Tag Info

Suppose I have a server-side variable containing JSON, called strJSON, that my own code created.
Was it created entirely by your code? Are you certain that at no point does it add in a piece of user input? Are you also certain that at no point in the future will it ever be modified to add in data that comes from user input? If you can be 100% sure of ...

If the JSON string is encoded entirely under your control, it is exploitable to the extent that your encoding method is broken. That said, you should be safe if you're performing a straightforward serialization using a trusted serializer, like so:
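    // JavaScriptSerializer lives in the System.Web.Script.Serialization namespace
    var js = new JavaScriptSerializer();
    // Fetch the object to serialize
    var thingy123 = ThingyRepo.Get(123);
    // The serializer produces the JSON text and escapes string values
    var json = js.Serialize(thingy123);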
...

No, there is nothing wrong with evaluating your own code, if you know for certain it's safe. Too many get caught up in blindly following rules. Evaluation of code in a string seems to really bring out strong opinions for some reason.
Evaluation of code in a string is a tool. Learn what it does, how it works, and why it can be unsafe. When you really ...